Back in May and then again in July, I noted several articles about Lewis-Palmer School District 38 in Colorado. A parent had raised concerns about whether the Infinite Campus platform might have compromised more than 2,000 students’ personal and academic information. The parent also alleged that the district had known about the problem since September but had taken no action to address the security concerns.
Sherrie Peif of The Complete Colorado described it as a “probable” security breach and reported that after being walked through the process, they discovered that anyone could easily access the personal information of any student in the district, including names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups take place; and health records.
Rather than forthrightly acknowledge the problem and address it, the district had taken the position that maybe there was a vulnerability but that anyone who exploited it would be engaging in criminal conduct. [Does that make them guilty of aiding and abetting any crime committed with their data? Bob] On further investigation, and having discovered that some files were accessed, they shut down the student portal access and student accounts.
Bill Fitzgerald commented on the original post and then wrote his own article on the security concerns and the district’s response.
In July, the district reported that an independent investigation had concluded that no security breach or compromise of student information had occurred in May.
But now the district is trying to get criminal charges filed against the concerned parent who raised the issue and kept calling attention to it.
And that’s just plain wrong on so many levels.
The Complete Colorado, which has been doing an admirable job of local investigative reporting, revealed more about the vulnerability, and from their description, the parent was absolutely justified in sounding alarms and persisting in trying to get the inadequate security remedied:
The district uses Google Apps for Education (GAFE), a hosting solution by Google that incorporates Google mail, calendar, and chat services. Lewis-Palmer used it for student email accounts, which at that time consisted of the student’s district identification number. system [sic] used by the district allowed anyone with email address in the system to download a complete contact list of district students. The list identified students’ names and district email addresses. Because student email accounts were comprised of the student ID, anyone who gained access to this list only needed to know the students’ birthdays to access another program, Infinite Campus, which contains the personal data of possibly thousands of students.
Pfoff and others maintain there was additional knowledge needed to gain access or “advanced cracking skills,” but they have not addressed the fact that information was provided by the district on the home page of the Infinite Campus website for nearly three years. On Aug. 9, 2013 the district posted: “Due to a security enhancement within Infinite Campus, your network and IC passwords have been changed! You must now enter the prefix LP@ before your regular birthday password (i.e. LP@031794).”
It is unknown how many contact lists were downloaded and shared over that time. But the district only contracted for the last year to be scrutinized.
Read more on The Complete Colorado, where they also provide a chronology of this case and information from a recorded conversation between a parent and school district personnel.
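The quoted passage describes a credential scheme in which the account name is a student ID that a contact export lists for everyone, and the password is a publicly announced prefix followed by the student's birthday. The first line of defense against that is a password policy that refuses any credential derivable from attributes the organization itself publishes about the user. The check below is an added example, not code from the original post, the district, Infinite Campus or Google; the `LP@` prefix and the MMDDYY birthday format come from the quoted 2013 notice, while the sample student record, its field names and the minimum length are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample record (an assumption: the real student information
# system's schema is not on the page). These are exactly the attributes the
# quoted article says were exposed: the ID doubles as the email local part,
# and the birthday is known to classmates, parents and siblings.
SAMPLE_STUDENT = {
    "student_id": "123456",
    "email": "123456@example.org",
    "dob": date(1994, 3, 17),
}

# Prefixes the organization itself has announced (the district's 2013 notice
# told everyone to type "LP@" before the birthday). A public prefix adds no
# secrecy, so it is stripped before the rest of the password is judged.
ANNOUNCED_PREFIXES = ("LP@",)


def dob_forms(dob):
    """Common ways a date of birth ends up typed as a password."""
    patterns = ("%m%d%y", "%m%d%Y", "%d%m%y", "%d%m%Y", "%Y%m%d", "%y%m%d",
                "%m/%d/%y", "%m/%d/%Y", "%m-%d-%y", "%m-%d-%Y")
    return {dob.strftime(p) for p in patterns}


def strip_announced_prefix(password):
    """Return (prefix or None, remainder) for a password starting with a public prefix."""
    for prefix in ANNOUNCED_PREFIXES:
        if password[:len(prefix)].casefold() == prefix.casefold():
            return prefix, password[len(prefix):]
    return None, password


def profile_derivation_reasons(password, user):
    """List the ways `password` can be derived from published attributes of `user`.

    An empty list means the password is not obviously derivable. Matching is
    case-insensitive and ignores separators so that 03/17/94 and 031794 are
    treated alike.
    """
    prefix, remainder = strip_announced_prefix(password)
    where = (f"after removing announced prefix {prefix!r}, the remainder"
             if prefix else "the password")
    reasons = []

    digits = re.sub(r"\D", "", remainder)
    dob_digit_forms = {re.sub(r"\D", "", f) for f in dob_forms(user["dob"])}
    if remainder in dob_forms(user["dob"]) or (digits and digits in dob_digit_forms):
        reasons.append(f"{where} is the user's date of birth")

    sid = user["student_id"]
    if sid and sid.casefold() in remainder.casefold():
        reasons.append(f"{where} contains the user's student ID (also the account name)")

    local_part = user["email"].split("@", 1)[0]
    if (local_part and local_part.casefold() != sid.casefold()
            and local_part.casefold() in remainder.casefold()):
        reasons.append(f"{where} contains the user's email local part")

    return reasons


def is_acceptable(password, user, min_length=12):
    """Policy decision: not derivable from the profile, and long enough once any public prefix is discounted."""
    _, remainder = strip_announced_prefix(password)
    return not profile_derivation_reasons(password, user) and len(remainder) >= min_length


if __name__ == "__main__":
    for candidate in ("LP@031794", "031794", "03/17/1994", "LP@123456!", "correct horse battery staple"):
        print(f"{candidate!r:32} acceptable={is_acceptable(candidate, SAMPLE_STUDENT)} "
              f"reasons={profile_derivation_reasons(candidate, SAMPLE_STUDENT)}")
```

The point of discounting the announced prefix rather than rewarding it is that a prefix everyone has been told to type is part of the username, not the password; the only secret left in `LP@031794` is a birthday that siblings, classmates and the school's own paperwork already know.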
For my students who use the Opera browser.
Opera sync system hacked, passwords of 1.7 million users reset
Opera says the sync feature on its browsers was recently hacked, and data of some of its users was compromised. As a security measure, the Norway-based software firm is forcing all sync users to reset their passwords.
Update. If true, I hope they bought lots of “Call” options. If false, God help them – I guess they’ll try to make it to Brazil before anyone finds out. Their statement reads like wishful thinking by their lawyers. Have they actually tried the hack MedSec says works?
St. Jude Refutes Medical Device Vulnerability Claims
… According to a report published on Thursday by MedSec and Muddy Waters, St. Jude’s products lack proper encryption and authentication. While the report contains only limited technical details, MedSec says it has developed proof-of-concept exploits that could be used to cause cardiac devices to malfunction or drain their battery at a very fast rate.
Instead of reporting its findings to St. Jude through the company’s responsible disclosure program, MedSec contacted Muddy Waters, which used the information to short St. Jude stock.
… In a statement published on its website on Friday, St. Jude said it examined the allegation made by Muddy Waters and MedSec and determined that the report is “false and misleading.”
Update. More details on the ATM theft my students found so amusing. Sounds like ATMs are easy to hack.
The malicious software used earlier this month to steal 12 million baht ($346,000) from ATMs at banks in Thailand might be a new ATM malware variant called RIPPER, FireEye researchers reveal.
The new malware sample was originally observed on Aug. 23, 2016, when it was uploaded to VirusTotal from an IP address in Thailand, just minutes before the 12 million baht theft made it to the headlines. According to FireEye researchers, the sample also uses some techniques not seen before.
… The group behind this operation installed malware into multiple cash machines run by Thailand's state-run Government Savings Bank (GSB) in late July. The thieves were linked to the previously revealed $2.5 million heist in Taiwan, where a group of foreigners stole money from cash machines using a similar method.
The new malware variant packs a series of features that tie it to previous ATM malware, such as its ability to target the same ATM brand, or the use of the same strategy as Padpin (Tyupkin), SUCEFUL, and GreenDispenser, to expel currency.
… However, the sample also shows a range of new capabilities, starting with its ability to target three of the main ATM Vendors worldwide, something that no other malware did before, FireEye says.
What’s more, RIPPER is being installed on the ATM through the insertion of a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism.
Eventually, it will be better than I am at recognizing faces. I wonder what their ‘false positive’ rate is?
New York's smarter face recognition catches more ID thieves
Sometimes, behind-the-scenes tech upgrades can make a big difference. New York's Governor Cuomo reports that an overhaul of the state DMV's face recognition software in January has led to more than 100 arrests and 900 open investigations so far. The trick? The new system checks 128 points on a face instead of 64, dramatically increasing the chances that it'll match a photo against the DMV's database.
… New York isn't alone in using face recognition in the US, let alone the world. As Ars Technica notes, there are 39-plus states relying on it in some capacity
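The question about the false-positive rate is the right one to ask, because a DMV duplicate-identity search is a 1:N identification: each new photo is compared against every enrolled record, so a tiny per-comparison false-match rate is multiplied by the size of the database, and the arrests-and-investigations count says nothing about how many innocent applicants were flagged along the way. This added example (mine, not from the article or the DMV) carries that calculation through for constructed figures; the database size, prior rate of duplicate identities, true-match rate and per-comparison false-match rate are all assumptions, and nothing on the page states New York's actual values.

```python
def flag_rate_genuine(fpr_per_comparison, database_size):
    """Probability that a genuine (non-duplicate) probe photo matches at least one
    enrolled face when it is compared against every record in the database.
    Treats comparisons as independent, which is an assumption."""
    if not 0.0 <= fpr_per_comparison <= 1.0 or database_size < 0:
        raise ValueError("fpr must be in [0, 1] and database_size non-negative")
    return 1.0 - (1.0 - fpr_per_comparison) ** database_size


def hit_precision(prior_duplicate, tpr, fpr_per_comparison, database_size):
    """Fraction of flagged probes that really are duplicate identities (Bayes' rule).

    prior_duplicate: fraction of applicants who already hold a record under another name
    tpr: probability the system finds the true match when one exists
    """
    duplicate_flags = prior_duplicate * tpr
    genuine_flags = (1.0 - prior_duplicate) * flag_rate_genuine(fpr_per_comparison, database_size)
    total = duplicate_flags + genuine_flags
    return duplicate_flags / total if total else 0.0


def precision_table(prior_duplicate, tpr, database_size, fprs):
    """Precision of a flag for each candidate per-comparison false-match rate."""
    return [(fpr, hit_precision(prior_duplicate, tpr, fpr, database_size)) for fpr in fprs]


if __name__ == "__main__":
    # Constructed figures, chosen only to show the scaling; not New York's numbers.
    DATABASE_SIZE = 16_000_000      # enrolled licence photos (assumption)
    PRIOR_DUPLICATE = 0.001         # one applicant in a thousand already enrolled under another name (assumption)
    TPR = 0.9                       # true-match rate (assumption)
    for fpr, precision in precision_table(PRIOR_DUPLICATE, TPR, DATABASE_SIZE,
                                          (1e-6, 1e-7, 1e-8, 1e-9, 1e-10)):
        genuine = flag_rate_genuine(fpr, DATABASE_SIZE)
        print(f"fpr/comparison={fpr:.0e}  genuine applicants flagged={genuine:7.2%}  "
              f"precision of a flag={precision:7.2%}")
```

With the constructed figures above, a per-comparison false-match rate of one in ten million still flags most genuine applicants at least once against a sixteen-million-record database, and only at rates around one in a billion or better does a flag become more likely right than wrong; the arrest count alone cannot distinguish those cases, which is why the false-positive rate is the number to ask for.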
Somehow (years of experience perhaps) I knew they would be inadequate for the job. Perhaps nothing will be totally successful, but the more people trying the better.
U.S. Revamps Line of Attack in Social-Media Fight Against Islamic State
Recent initiatives by technology companies to push back against Islamic State’s social-media messaging highlight a sobering fact: The U.S. government’s battle on that front has mostly sputtered.
In a number of terrorist attacks over the past year, the attackers were found to have been inspired by Islamic State propaganda and videos, which are often described as Hollywood-level productions. Despite numerous military victories against Islamic State, U.S. officials acknowledge they have struggled to counteract the terrorist group’s online campaign.
Is this just another way of saying “class action?”
The Information-Forcing Role of the Judge in Multidistrict Litigation
by Sabrina I. Pacifici on Aug 28, 2016
Bradt, Andrew and Rave, D. Theodore, The Information-Forcing Role of the Judge in Multidistrict Litigation (August 23, 2016). California Law Review, Forthcoming. Available for download at SSRN: http://ssrn.com/abstract=2828461
“In this article, we address one of the most controversial and current questions in federal civil procedure: What is the proper role of the judge in the settlement of mass-tort multidistrict litigation, or MDL? Due to the Supreme Court’s hostility to class actions, MDL proceedings have begun to dominate the federal civil docket. To wit, nearly half of the federal civil caseload is MDL. Although MDL is structurally different from a class action, the procedure replicates — and in many ways complicates — the principal-agent problems that plagued the class action. Like a class action, nearly all MDL cases are resolved by a comprehensive global settlement agreement, but, unlike a class action, in MDL the judge has no authority to reject a settlement agreement as unfair to the potentially thousands of parties ensnared in the litigation. Here, we argue that, given this limitation, the judge should act as an “information-forcing intermediary,” who reserves the right to offer a non-binding opinion about the fairness of the settlement to send an easy-to-understand signal directly to the parties about their lawyers’ performance. Such a signal will mitigate many of the agency problems inherent to MDL and allow parties to exercise informed consent when choosing whether to accept a settlement. More generally, this article is a call for judges to embrace an information-forcing role at the head of consolidated MDL proceedings.”
Interesting. I wondered if there really was a market for people to watch others play video games, then I remembered that people watch poker on TV. So, maybe?
Facebook has finally made its move against one of Amazon's biggest properties
Useful?
How to Automatically Send Pocket Articles to Your Kindle
If there are any two platforms that belong together it’s read-it-later service Pocket and Amazon’s Kindle e-reader or app. If you want to connect the two, you can not only do that but can also automate the process.
With P2K, you can choose from a weekly, daily, or one-time digest. You can choose the exact time the digest will be delivered, and how many articles it will include.
… In order to create that connection between P2K and your Kindle account, you will need to provide the Kindle email address necessary to deliver the articles. This email address can be found on your Kindle settings page under the “Send-to-Kindle E-Mail Settings” heading.
You will also need to add the address delivery@p2k.co to the “Approved Personal Document E-mail List”, which can be found on the same settings page.
A couple of these are new to me.
26 must-have apps for college life
Reverso Translator (Free)
Another great tool if you're taking a language class. It's time you graduated from Google Translate, because Reverso actually gives you vocabulary in real contexts. Now you can really figure out if you mean bonita or bastante (big difference).
(iTunes) (Google Play)
Smart Voice Recorder & Voice Recorder Free
As long as you don't put it on the Internet or something, recording lectures is a great idea. Review them for finals, clarify something for your notes, or share lectures with friends. These apps are great if you want something a little better than Voice Memos, but that's sufficient as well.
(Smart Voice Recorder for Google Play) (Voice Recorder Free for iTunes)
Also something my students should look into.
How to Access Lynda.com’s Online Courses for Free
… The potentially good news is that you may be able to access all of Lynda.com for free. All you have to do is visit one of your local libraries and see if they provide free Lynda.com access to members (library membership is free).